Post navigation

Release 1.5.5

This is another security release, the exploit is documented as CVE-2015-3297 — If a specifically formatted URL is used to access Etherpad a file can be read from the filesystem. This issue has existed in Etherpad since 2012 so pretty much all deployments will be effected.

We have been doing a lot of security releases lately as we complete our third security audit. Our apologies for creating such a fire under admins to update so frequently lately.

SECURITY: Traversing URL exploit
NEW: Default Pad options can now be defined in settings.json, see the Etherpad Template file for reference.
NEW: sessionKey is now automatically generated and stored in the file system.
NEW: Logic for handling pad creation with illegal characters
FIX: IE10 now works
FIX: html10n missing semicolons, prevents warnings
FIX: Importing of Large .Etherpad files no longer crashes the server
UPDATES: Update all stuck dependencies (Inc underscore)
UPDATES: Update to Express 4
UPDATES: We no longer support IE8